Formalities

Any natural or legal entities governed by private law who wants to implement automated data processing including personal information must first complete the required procedure with the CCIN.

There are four possible procedures to follow:

  • Ordinary declaration;
  • Simplified declaration;
  • Authorisation request;
  • Legal advisory request.

The data controller must decide which procedure is the most adapted to the processing he wants to implement. To do so, he needs to analyse the purpose of the processing, and depending on this purpose, complete one of the aforementioned procedures (ordinary request, simplified request, authorisation request, or legal advisory request).

 

The ordinary declaration procedure

All natural or legal persons governed by private law usually fall under the ordinary declaration procedure.

For the file to be admissible, it must be duly completed and addressed to the CCIN by the postal service (registered letter with return receipt) or by hand to the Secretariat of the CCIN in return for a receipt.

If the file is complete, the President of the CCIN issues a receipt of implementation to the data controller.

If on the other hand, the file is not complete, the file is considered to be incomplete and returned to the data controller for completion.

The simplified declaration procedure

Only processing that do not clearly establish that the processing operations do not adversely affect the rights and freedoms of the data subjects fall under the simplified declaration procedure.

To be entitled to the simplified procedure, the data controller must verify that the computerised file that he wants to implement is compliant to the conditions according to the type of processing as described by the Ministerial Order.

He will ensure to use no more data than that established by the Order for his type of processing, that is, this order establishes the purposes, the data collected, the authorised storage period, the recipients, and so on

When the processing is fully compliant to the cited Ministerial Order, the data controller must transfer the file of the simplified declaration to the CCIN by postal service (registered letter with return receipt) or by hand to the Secretariat of the CCIN in return for a receipt.

If the file is complete, the President of the CCIN issues a receipt of implementation.

If on the contrary, the file is not complete, the file is considered to be incomplete and returned to the data controller for completion.

Any processing declared in a simplified declaration that is not compliant to the cited Ministerial Order is illegal.

The authorisation request procedure

Automated processing of personal data relating to suspected unlawful activities, offences or security measures or including biometric data required to check persons’ identities, or for the purpose of surveillance are subject to the authorisation of the Commission.

This procedure also addresses all processing requiring data transfers to a country without an adequate level of protection, that is, does not have a legislation equivalent to that of the Legislation Monegasque pertaining to the protection of personal data.
List of countries with an adequate level of protection.

When the authorisation file is ready, it must be addressed, with appendices and any other supporting documents, to the CCIN by the postal service (registered letter with return receipt) or by hand to the Secretariat of the CCIN in return for a receipt.

When the file is considered incomplete, it is returned to the data controller to be regularised.

In the case where the file is considered admissible, the Commission has two months from the date of reception to adjudicate. This delay can be extended once for the same duration.

If the Commission refuses the authorisation, the processing cannot be implemented nor any other operation.

Legal advisory request procedure

This procedure formulates exceptional measures for natural and legal persons governed by private law. Only processing relating to research in the field of health (excluding biomedical research) is subject to this type of procedure.

The legal advisory request complemented with appendices and other supporting documents will help the Commission to evaluate the lawfulness of the processing and the quality of the personal information must be addressed to the CCIN by the postal service (registered letter with return receipt) or by hand to the Secretariat of the CCIN in return for a receipt.

When the file is considered incomplete, it is returned to the data controller to be regularised.

In the case where the file is considered admissible, the Commission has two months from the date of reception to adjudicate. This delay can be extended once for the same duration.

After analysing the file, if the Commission gives its authorisation, the processing can only be implemented after it is published in the Journal of Monaco by the data controller, the legal advisory request from the CCIN, and the decision to implement the processing.

If the Commission issues an unfavourable opinion, the processing cannot be implemented. Only a reasoned Ministerial Order will be able to authorise its implementation when appropriate.

Particular procedures

  • Modification procedure
      The data controller must submit a new request when an element in the authorised processing changes.
  • Deletion procedure
      The data controller is required to inform the CCIN of all deletions in the processing by addressing a letter to the attention of the President of the CCIN.